“Ok, why is literally everybody and their mom talking about Sui right now?”
If that’s you – hey, you know we got you. Let’s put an end to the pain of being unaware:
Yesterday, the Sui blockchain experienced the biggest DeFi hack of 2025.
A hacker stole about $223M from Cetus, the largest decentralized exchange (DEX) on Sui.
FYI: that’s about 94% of what the platform had in total value locked (TVL) the day before. So yeah, pretty big deal.
“But… how?”, said you, maybe.
Like I said – don’t worry, we got you.
The attacker exploited a flaw in Cetus’ smart contracts – and according to HackenProof CTO Alex Horlan, this is how the whole thing went down:
Step 1. Making a garbage token look valuable
The attacker made their own token – just a worthless coin called BULLA.
Now, on most DEXs, nobody sets the price – it comes from the ratio of the two tokens sitting in a pool. The fewer SUI (a legit token) you can get per BULLA, the cheaper BULLA is; the more SUI per BULLA, the pricier it looks.
And in a brand-new pool there's no market to argue with: whoever seeds it picks the starting ratio. So the hacker seeded a BULLA/SUI pool at a ratio that made the price math say 1 BULLA was worth a lot of SUI, when really, it was garbage.
Step 2. Setting up a fake liquidity pool
Next, the hacker used BULLA to open a new liquidity pool – this time putting in almost nothing, just enough to get it going.
When you put tokens into a liquidity pool, you get LP tokens in return. They're like a receipt showing what percentage of the pool you own, and later you can trade them back in for your share of the real tokens sitting in the pool.
But the system still thinks the fake token is super expensive, so when the attacker adds a tiny bit of it, it books that as a massive deposit. Result: the hacker gets a huge pile of LP tokens – way more than the deposit was actually worth.
Step 3. Cash out
Now armed with those LP tokens, the hacker starts removing liquidity – exchanging their LP tokens for real tokens from the pool.
Because the share math had been fed that rigged price, it lets them keep pulling out real money – again and again – even though they barely put anything real in to begin with.
I know. Crazy stuff.
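If you want to see why those three steps actually pay out, here is a toy pool in Python. It's an example added for this page – not Cetus's code, and not a reconstruction of the actual bug in Cetus's contracts – that models the pattern the story describes: LP shares valued at a spot price the attacker set in a throwaway pool, next to the fix (shares minted from the pool's own reserve ratio, Uniswap v2 style). The pool sizes, the token names and the "1 BULLA = 1,000,000 SUI" quote are all made up for the demo, and exact fractions are used so the numbers come out clean.

```python
# Toy model of the three steps above. Constructed example: NOT Cetus code and
# NOT the real Cetus bug, only the pattern the article describes, i.e. LP shares
# minted from a price that the attacker controls, beside the hardened version.
from fractions import Fraction as F


class Pool:
    """Minimal two-token pool. Reserves in whole tokens, exact arithmetic."""

    def __init__(self, reserve_a, reserve_b, lp_supply=0):
        self.reserve_a = F(reserve_a)  # token A (BULLA in the story)
        self.reserve_b = F(reserve_b)  # token B (SUI in the story)
        self.lp_supply = F(lp_supply)  # LP "receipts" outstanding

    def price_a_in_b(self):
        """Spot price: how much B one A fetches. Whoever seeds a fresh pool picks this."""
        return self.reserve_b / self.reserve_a

    def withdraw(self, shares):
        """Burn LP shares and pay out the same fraction of each reserve (step 3)."""
        frac = shares / self.lp_supply
        out_a, out_b = self.reserve_a * frac, self.reserve_b * frac
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.lp_supply -= shares
        return out_a, out_b


def deposit_vulnerable(pool, price_source, amount_a, amount_b):
    """Step 2 as the article tells it: value the deposit with a price read from
    another pool, then mint shares = supply * value_in / pool_value.
    The flaw: price_source is a pool the attacker seeded, so the quote is whatever
    they want it to be."""
    p = price_source.price_a_in_b()
    value_in = amount_a * p + amount_b
    pool_value = pool.reserve_a * p + pool.reserve_b
    shares = pool.lp_supply * value_in / pool_value
    pool.reserve_a += amount_a
    pool.reserve_b += amount_b
    pool.lp_supply += shares
    return shares


def deposit_hardened(pool, amount_a, amount_b):
    """Uniswap-v2-style mint: shares follow the pool's OWN reserve ratio only.
    No external price is consulted; a surplus of one token earns nothing extra."""
    shares = min(amount_a * pool.lp_supply / pool.reserve_a,
                 amount_b * pool.lp_supply / pool.reserve_b)
    pool.reserve_a += amount_a
    pool.reserve_b += amount_b
    pool.lp_supply += shares
    return shares


def run_attack(hardened):
    """Play the three steps against a pool holding 1,000 BULLA and 100,000 SUI
    of honest liquidity (constructed numbers). Returns the attacker's net SUI gain."""
    victim = Pool(reserve_a=1_000, reserve_b=100_000, lp_supply=100_000)
    # Step 1: seed a throwaway pool with a millionth of a BULLA against 1 SUI,
    # so its quote reads "1 BULLA = 1,000,000 SUI". Costs the attacker 1 SUI.
    spoof = Pool(reserve_a=F(1, 1_000_000), reserve_b=1)
    # Step 2: deposit 1,000,000 self-minted BULLA plus a single real SUI.
    garbage, real = F(1_000_000), F(1)
    if hardened:
        shares = deposit_hardened(victim, garbage, real)
    else:
        shares = deposit_vulnerable(victim, spoof, garbage, real)
    # Step 3: cash the shares out for whatever is in the pool.
    _, sui_out = victim.withdraw(shares)
    return sui_out - real


if __name__ == "__main__":
    print("vulnerable pool: attacker nets", float(run_attack(hardened=False)), "SUI")
    print("hardened pool:   attacker nets", float(run_attack(hardened=True)), "SUI")
```

Run it and the vulnerable path hands the attacker roughly 99,900 of the 100,000 honest SUI in exchange for 1 SUI and a pile of self-minted BULLA, because the rigged quote turns the garbage into "value". The hardened path mints exactly one share for the same deposit: it never asks another pool what BULLA is worth, so the extra BULLA just sits in the pool as a gift to everyone else.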
And the result was a mess. Craaaazy stuff.
Cetus scrambled to respond:
- Paused all smart contracts to prevent more damage;
- Teamed up with the Sui Foundation and froze around $162M of the hacker's funds. Sadly, the hacker had already bridged about $60M over to Ethereum;
- Offered a white hat bounty – up to $6M – if the attacker returns the Ether.
Which sounds like a pretty solid response.
But many people went like, “Uhhh… pause. Sui can freeze funds?”
Yeah, if someone can just halt transactions, it feels a lot like the traditional banking system. And for a network that calls itself decentralized, that’s a big red flag.
On the other hand, people like crypto sleuth Matteo pointed out that what happened wasn’t centralized control – it was decentralization in action.
According to him, Sui validators from all over the world independently coordinated to stop a known malicious wallet. No one gave orders, no one had to ask permission. They just chose to act.
That, he said, is what true decentralization looks like – not being powerless, but being able to respond together as a network.
And it probably was the right choice. If you can stop someone from stealing, why wouldn’t you?
But even if this made sense, it left a crack in the idea that Sui was fully decentralized.
So yeah. And that, friends, is why everyone is freaking out about Sui. The pain of being unaware has been relieved.
Now you're in the know. But think about your friends – they probably have no idea. I wonder who could fix that… 😃🫵 Spread the word and be the hero you know you are!